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All  Members  shall  refrain  in 
their  international  relations 
from  the  threat  or  use  of  force 
against  the  territorial  integ¬ 
rity  or  political  independence 
of  any  state,  or  in  any  other 
manner  inconsistent  with 
the  Purposes  of  the  United 
Nations. 

— Article  2(4),  Charter  of  the 
United  Nations1 


ne  of  the  many  seemingly 
intractable  legal  issues  sur¬ 
rounding  cyberspace  involves 
whether  and  when  peacetime 
cyber  operations  constitute  a  prohibited  use  of 
force  under  Article  2(4)  of  the  United  Nations 
(UN)  Charter.  Notwithstanding  a  significant 
body  of  scholarly  work  on  this  topic  and 
extensive  real-world  examples  from  which  to 
draw,  there  is  no  internationally  recognized 
definition  of  a  use  of  force.2  Rather,  what  has 
emerged  is  a  general  consensus  that  some 
cyber  operations  will  constitute  a  use  of  force, 
but  that  it  may  not  be  possible  to  identify  in 


advance  the  specific  criteria  states  will  use  in 
making  such  determinations. 

As  discussed  in  this  article,  several  ana¬ 
lytic  frameworks  have  been  developed  to  help 
assess  when  cyber  operations  constitute  a  use 
of  force.3  One  conclusion  these  frameworks 
share  is  that  cyber  operations  resulting  in 
physical  damage  or  injury  will  almost  always 
be  regarded  as  a  use  of  force.  When  these 
frameworks  were  developed,  however,  there 
were  few,  if  any,  examples  of  peacetime,  state- 
sponsored  cyber  coercion.  More  importantly, 
the  prospect  of  cyber  attacks  causing  physical 
damage  was  largely  theoretical.4  Beginning 
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in  2007,  however,  a  string  of  cyber  opera¬ 
tions— including  the  2007  Distributed  Denial 
of  Service  (DDoS)  attack  on  Estonia,  the  2008 
DDoS  attack  on  Georgia,  and  the  2008  discov¬ 
ery  that  the  U.S.  Government’s  most  sensitive 
networks  had  been  compromised— hinted  at 
increased  use  of  the  cyber  domain  by  states 
and  their  proxies  for  peacetime  coercion. 
Then,  with  the  discovery  of  the  Stuxnet  worm 


in  2010,  which  damaged  uranium  enrichment 
equipment  at  a  nuclear  facility  in  Iran,  theory 
became  reality 

Although  Stuxnet  has  been  described 
as  a  watershed  event,  there  has  been  little  aca¬ 
demic  discussion  on  whether  it  constituted  a 
use  of  force.5  Perhaps  this  is  because  it  caused 
physical  damage  and,  therefore,  clearly  consti¬ 
tutes  a  use  of  force  under  prevailing  analytic 
frameworks.  This  appears  to  be  the  emerging 
consensus.6  Although  I  generally  agree  with 
this  conclusion,  I  also  believe  that  by  looking 
beyond  the  physical  damage,  Stuxnet  provides 
a  unique  opportunity  to  assess  the  adequacy 
and  continued  relevancy  of  these  frameworks. 

As  a  first  step  toward  such  an  assess¬ 
ment,  this  article  tests  one  of  the  more 
robust  frameworks,  known  as  the  Schmitt 
Analysis,  by  applying  it  to  Stuxnet.  Devel¬ 
oped  in  1999  by  Professor  Michael  Schmitt, 
it  is  one  of  the  most  academically  rigorous 
and  frequently  cited  frameworks  for  char¬ 
acterizing  cyber  operations.  The  Schmitt 
Analysis  consists  of  seven  factors  that  states 
are  likely  to  consider  when  character¬ 
izing  cyber  activities:  severity,  immediacy, 
directness,  invasiveness,  measurability, 
presumptive  legitimacy,  and  responsibility. 

A  key  feature  of  the  framework  is  that  it 
remains  faithful  to  Article  2(4)  of  the  UN 
Charter  while  at  the  same  time  effectively 
bridging  key  elements  of  competing  analytic 
frameworks  that  do  not  exhibit  such  fidelity 
to  the  Charter.  By  focusing  this  evaluation 
on  Schmitt’s  model,  I  expect  the  results  will 
have  implications  for  the  use- of- force  debate 
more  generally. 

The  article  begins  with  a  discussion 
of  why,  as  a  practical  matter,  discerning  a 
peacetime  use-of-force  threshold  in  cyber¬ 
space  is  important.  Next,  I  detail  the  Article 
2(4)  prohibition  on  the  use  of  force  and  the 


difficulty  applying  it  in  the  cyber  context.  I 
then  review  Schmitt’s  model  and  perform 
a  Schmitt  Analysis  of  Stuxnet.  Finally,  I 
examine  what  the  analysis  of  Stuxnet  reveals 
about  the  framework’s  continued  utility 
and  relevance.  Overall,  I  find  that  Schmitt’s 
underlying  analytical  approach  remains 
sound— that  is,  the  best  way  to  characterize 
the  lawfulness  of  peacetime  cyber  operations 


is  to  predict  how  states  will  characterize  them. 
That  said,  the  Stuxnet  analysis  reveals  several 
limitations  with  Schmitt’s  framework,  while 
also  highlighting  opportunities  to  broaden  it. 
More  importantly,  I  conclude  that  the  time 
has  come  to  relax  the  model’s  strict  adherence 
to  the  UN  Charter  because  Article  2(4)  is  just 
one  of  several  factors  that  states  are  likely  to 
consider  when  characterizing  the  lawfulness 
of  cyber  operations. 

Why  the  Use-of-Force 
Threshold  Matters 

Cyberspace  represents  a  strategic 
vulnerability  for  many  states  because  it  is 
inextricably  tied  in  to  their  economies,  criti¬ 
cal  infrastructures,  and  even  their  national 
security  apparatus.  Compounding  these 
concerns  is  the  fact  that  a  wide  range  of 
actors  have  proven  adept  at  exploiting  these 
vulnerabilities.  Cybercrime,  for  example,  is 
now  estimated  to  exceed  $1  trillion  globally 
per  year.7  Even  the  most  secure  U.S.  defense 
networks  are  not  immune.8  The  scope  of  the 
problem  has  become  so  great  that  some  claim 
the  United  States  is  engaged  in  a  cyber  war, 
and  that  it  is  losing.9  The  National  Security 
Strategy  of  2010  notes  that  “cybersecurity 
threats  represent  one  of  the  most  serious 
national  security,  public  safety,  and  economic 
challenges  we  face  as  a  nation.”10  The  White 
House’s  International  Strategy  for  Cyberspace 
of  2011  goes  further  by  proclaiming:  “When 
warranted,  the  United  States  will  respond  to 
hostile  acts  in  cyberspace  as  we  would  to  any 
other  threat  to  our  country,”  to  include  a  mili¬ 
tary  response.11 

Against  this  backdrop,  discerning  a 
cyber  use-of-force  threshold  becomes  impor¬ 
tant  for  a  number  of  reasons.  Foremost  is  that 
characterizing  cyber  operations  is  a  precon¬ 
dition  to  determining  which  legal  regime 


governs  state  behavior.12  If  state-sponsored 
cyber  activities  constitute  a  use  of  force, 
then  international  law  governing  the  use  of 
force  (jus  ad  helium)  and  the  Law  of  Armed 
Conflict  (jus  in  hello)  apply.  In  appropriate 
circumstances,  this  could  trigger  a  state’s  right 
to  self-defense  and  thereby  permit  a  forceful, 
perhaps  even  armed  response.  In  contrast, 
non-state-sponsored  cyber  operations  and 
operations  not  amounting  to  a  use  of  force  are 
traditionally  governed  by  more  constrained 
law  enforcement  regimes.13 

The  need  for  clarity  has  taken  on  greater 
importance  now  that  the  United  States  and 
many  of  its  allies  treat  cyberspace  as  a  military 
operational  domain.14  Accordingly,  discerning 
a  use-of-force  threshold  would  seem  to  be  nec¬ 
essary  for  a  wide  range  of  peacetime  military 
activities,  such  as  defining  the  spectrum  of 
permissible  peacetime  cyber  operations,  such 
as  computer  network  exploitation;  develop¬ 
ing  peacetime  cyber  rules  of  engagement; 
identifying  appropriate  approval  authorities; 
assigning  appropriate  agency  responsibilities 
and  resources;  signaling  adversaries  and  allies 
as  part  of  a  deterrence  strategy;  recognizing 
when  treaty  obligations  have  been  triggered; 
and  determining  whether  UN  Security 
Council  authorization  is  required  to  conduct 
certain  operations. 

The  Use  of  Force  in  Cyberspace 

Notwithstanding  the  need  for  clarity 
discussed  above,  there  is  no  international 
consensus  on  what  constitutes  a  use  of  force  in 
cyberspace,  nor  does  it  appear  a  mechanical 
rule  is  likely  to  emerge  any  time  soon.15  This 
section  describes  why  ambiguity  persists  and 
the  various  solutions  that  have  been  proposed 
to  resolve  it.  After  summarizing  the  relevant 
law  governing  the  use  of  force  in  international 
relations,  I  highlight  the  technical,  legal,  and 
political  challenges  of  applying  existing  norms 
within  cyberspace. 

Use  of  Force  Under  the  UN  Charter. 

Jus  ad  helium16  describes  the  law  governing 
the  transition  from  peace  to  armed  conflict. 
Though  grounded  in  customary  international 
law,  the  black  letter  principles  of  jus  ad  helium 
are  now  contained  in  Article  2(4)  of  the  UN 
Charter,  which  prohibits  states  from  the 
“threat  or  use  of  force”  in  their  international 
relations.  Several  features  of  this  prohibition 
are  problematic  in  the  cyber  context.  First, 
Article  2(4)  only  pertains  to  international 
relations  between  sovereign  states— it  does 
not  proscribe  the  conduct  of  nonstate  actors, 
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who  appear  to  be  the  source  of  most  mali¬ 
cious  cyber  activity.  Also,  as  noted  above, 
the  Charter  does  not  define  the  phrase  use  of 
force.  Finally,  Article  2(4)  does  not  provide 
any  exceptions  to  the  prohibition  on  the 
unilateral  use  of  force,  nor  does  it  prescribe 
remedies  for  unauthorized  uses  of  force.  Such 
exceptions  and  remedies  are  found  in  chapter 
VII  of  the  Charter  which,  unlike  Article  2(4), 
is  not  limited  to  relations  between  states  and 
employs  thresholds  quite  distinct  from  the 
use-of-force  standard.17  Importantly,  it  is  not 
the  use  of  force,  but  rather  an  “armed  attack” 
that  triggers  a  state’s  right  to  use  force  in 
self-defense.18 

Although  use  of  force  is  not  defined, 
an  approximate  threshold  has  emerged 
through  consideration  of  the  Charter’s 
preparatory  work,  state  practice,  and 
opinio  juris.19  First,  the  framers  of  the 


v.  United  States  (hereinafter  Nicaragua ), 
when  it  concluded  that  arming  and  train¬ 
ing  guerrillas  amounted  to  a  prohibited 
use  of  force,  even  though  it  did  not  rise  to 
the  level  of  an  armed  attack.25  Accordingly, 
the  use  of  force  threshold  has  traditionally 
been  viewed  as  lying  somewhere  between 
purely  economic  and  political  coercion  on 
the  one  hand  and  activities  that  result  in 
physical  damage  or  injury  on  the  other.26 
As  discussed  below,  discerning  a  clear 
use-of-force  threshold  in  this  gray  area— a 
difficult  task  even  in  traditional  kinetic 
context— has  proven  particularly  difficult 
in  the  cyber  context.27 

Use  of  Force  in  Cyberspace.  The  dif¬ 
ficulty  of  applying  Article  2(4)  in  cyberspace 
is  that  the  instrument-based  paradigm  does 
not  cleanly  translate  to  cyber  operations, 
particularly  for  gray  area  operations  that  do 


discerning  the  use-of-force  threshold  is  really  about 
predicting  how  states  will  respond  to  cyber  incidents  in 
light  of  prevailing  international  norms 


Charter  took  an  instrument-based,  vice 
consequence-based,  approach  to  the  use  of 
force  prohibition.20  While  acknowledging 
that  states  are  most  concerned  about  the 
consequences  of  coercive  activities  (that 
is,  the  degree  of  injury,  deprivation,  or 
destruction),  the  framers  recognized  that  a 
consequence-based  criterion  was  too  sub¬ 
jective  to  distinguish  lawful  from  unlawful 
state  coercion.21  Because  the  term  force 
connotes  violence,  injury,  and  destruc¬ 
tion-consequences  that  pose  the  greatest 
threat  to  international  peace  and  security— 
they  adopted  the  instrument-based  use-of- 
force  standard  as  prescriptive  shorthand. 
According  to  Professor  Schmitt,  such  an 
approach  “eases  the  evaluative  process  by 
simply  asking  whether  force  has  been  used, 
rather  than  requiring  a  far  more  difficult 
assessment  of  the  consequences  that  have 
resulted.”22  According  to  this  approach,  the 
Article  2(4)  prohibition  does  not  extend  to 
all  forms  of  state  coercion.  For  example, 
the  instruments  of  economic  and  political 
coercion  are  not  prohibited.23  Less  clear, 
but  generally  accepted,  is  that  the  prohibi¬ 
tion  is  not  limited  to  “armed”  force— it 
may  also  encompass  unarmed,  nonmilitary 
physical  force,  such  as  releasing  water 
from  a  dam.24  The  International  Court  of 
Justice  highlighted  this  point  in  Nicaragua 


not  result  in  physical  harm.28  According  to  a 
strict  instrument-based  interpretation,  even 
highly  disruptive  peacetime  cyber  operations 
may  not  qualify  as  a  use  of  force  because  they 
lack  the  traditional  kinetic  characteristics 
associated  with  armed  force.29  Most  commen¬ 
tators  reject  this  strict  interpretation  because 
of  the  potential  widespread  destabilizing 
consequences  of  cyber  operations.  That  said, 
by  focusing  on  consequences  to  determine 
whether  prohibited  force  has  been  used,  these 
commentators  call  Article  2(4)’s  instrument- 
based  paradigm  into  question. 

The  perceived  shortcomings  of  Article 
2(4)  have  led  many  to  propose  a  new  treaty  law 
to  govern  cyber  operations.30  Others  counter 
that  states  are  unlikely  to  negotiate  any 
meaningful  treaties  in  the  foreseeable  future. 
They  argue  that  divergent  strategic  interests 
and  significant  attribution  problems  make 
treaty  enforcement  unrealistic.  They  suggest 
that  existing  international  norms,  though 
imperfect,  are  adequate  for  extrapolating 
general  principles  governing  the  use  of  force 
in  cyberspace  and  urge  gradual  expansion  of 
international  norms  within  the  Article  2(4) 
framework. 

Over  the  past  two  decades,  proponents 
of  this  gradualist  approach  have  developed 
several  analytic  frameworks  to  characterize 
the  legality  of  cyber  operations.  First  is  the 


“effects-based”  approach,  which  states  that 
the  quantum  of  damage,  and  not  the  means 
of  attack,  is  all  that  matters.  The  advantage  of 
this  approach— which  is  generally  favored  by 
U.S.  policymakers  and  military  operators— is 
that  it  is  fairly  simple  to  apply  and  it  acknowl¬ 
edges  that  states  are  principally  concerned 
about  consequences.  The  drawback  is  that  it 
represents  a  hard  break  from  the  Charter’s 
instrument-based  approach  and  thereby  relies 
on  inherently  subjective  assessments  among 
states  that  have  divergent  strategic  capabili¬ 
ties,  vulnerabilities,  and  interests.  A  second 
approach  relies  upon  kinetic  equivalency, 
arguing  that  cyber  operations  constitute  a 
use  of  force  only  if  the  damage  they  cause 
could  previously  have  been  achieved  only  by 
a  kinetic  attack.31  This  framework  generally 
adheres  to  the  Charter’s  instrument-based 
approach,  but  it  struggles  to  characterize 
hostile  gray  area  cyber  operations— such  as 
projecting  false  targets  on  an  adversary’s  early 
warning  radars— that  do  not  result  in  physical 
damage.  A  third  approach  applies  a  “strict 
liability”  test  for  any  cyber  operations  that 
target  a  state’s  critical  infrastructure  and  vital 
interests  because  of  the  severe  consequences 
that  could  result  from  such  attacks.  According 
to  this  model,  the  mere  penetration  of  such 
systems— such  as  power  production,  stock 
exchanges,  and  air  traffic  control— can  con¬ 
stitute  evidence  of  hostile  intent  and  thereby 
trigger  the  right  of  self-defense.32  This  frame¬ 
work  suffers  from  the  inherent  subjectivity 
of  defining  what  constitutes  “critical  infra¬ 
structure  and  vital  interests,”  and  because  it 
expands  the  gray  area  to  encompass  activities 
such  as  computer  network  exploitation  that 
are  not  currently  prohibited  by  international 
law.  Professor  Schmitt’s  framework  represents 
the  fourth  major  model. 

Schmitt  Analysis 

Professor  Schmitt  recognized  that 
discerning  the  use-of-force  threshold  is  really 
about  predicting  how  states  will  characterize 
and  respond  to  cyber  incidents  in  light  of  pre¬ 
vailing  international  norms.33  To  aid  in  such 
predictions,  his  framework  bridges  the  instru¬ 
ment-  and  consequence-based  approaches. 

In  keeping  with  the  Article  2(4)  instrument- 
based  standard,  his  model  consists  of  seven 
factors  that  represent  the  major  distinctions 
between  permissible  (that  is,  economic  and 
political)  and  impermissible  (armed)  instru¬ 
ments  of  coercion.34  When  applying  these 
factors,  the  more  closely  the  attributes  of  a 
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cyber  operation  approximate  the  attributes 
of  armed  force,  the  more  likely  states  are  to 
characterize  the  operation  as  a  prohibited  use 
of  force.  The  Schmitt  Analysis  factors  consist 
of  the  following: 

■  Severity:  Cyber  operations  that 
threaten  physical  harm  more  closely  approxi¬ 
mate  an  armed  attack.  Relevant  factors  in  the 
analysis  include  scope,  duration,  and  intensity. 

■  Immediacy:  Consequences  that  mani¬ 
fest  quickly  without  time  to  mitigate  harmful 
effects  or  seek  peaceful  accommodation  are 
more  likely  to  be  viewed  as  a  use  of  force. 

■  Directness:  The  more  direct  the  causal 
connection  between  the  cyber  operation  and 
the  consequences,  the  more  likely  states  will 
deem  it  to  be  a  use  of  force. 

■  Invasiveness:  The  more  a  cyber 
operation  impairs  the  territorial  integrity  or 
sovereignty  of  a  state,  the  more  likely  it  will  be 
viewed  as  a  use  of  force. 

■  Measurability:  States  are  more  likely  to 
view  a  cyber  operation  as  a  use  of  force  if  the 
consequences  are  easily  identifiable  and  objec¬ 
tively  quantifiable. 


■  Presumptive  legitimacy:  To  the  extent 
certain  activities  are  legitimate  outside  of  the 
cyber  context,  they  remain  so  in  the  cyber 
domain,  for  example,  espionage,  psychological 
operations,  and  propaganda. 

■  Responsibility:  The  closer  the  nexus 
between  the  cyber  operation  and  a  state,  the 
more  likely  it  will  be  characterized  as  a  use 
of  force.35 

According  to  Professor  Schmitt, 
evaluating  these  factors  is  an  imprecise  and 
subjective  endeavor.  The  factors  are  useful 
but  not  determinative,  and  they  should  not  be 
applied  mechanically.  Rather,  they  need  to  be 
applied  holistically  according  to  the  relevant 
context— that  is,  which  factors  are  important 
and  how  they  should  be  weighted  will  vary 
on  a  case-by-case  basis.  Moreover,  he  never 
intended  the  factors  to  be  exhaustive,  though 
they  are  often  treated  as  such.36  Finally,  the 
framework  is  more  useful  for  post  hoc  forensic 
analysis  of  particular  cyber  attacks  than  for 
characterizing  real-time  operations.37 

Professor  Schmitt  also  acknowledged 
that  his  adherence  to  the  Article  2(4) 


instrument-based  paradigm  appears  tortu¬ 
ous,  particularly  given  the  appeal  of  simple 
effects-based  frameworks.  However,  he 
reasoned  that  such  adherence  is  necessary  to 
properly  describe  where  the  cyber  use  of  force 
threshold  lies  under  prevailing  standards— in 
contrast  to  the  other  leading  models,  which 
prescribe  new  standards  for  where  the  use  of 
force  threshold  should  lie.38  He  also  believed 
that  “reference  to  the  instrument-based  short¬ 
hand  facilitates  greater  internal  consistency 
and  predictability  within  the  preexisting 
framework. ...  As  a  result,  subscription  by 
the  international  community  is  more  likely, 
and  application  should  prove  less  disruptive 
and  controversial.”39  In  the  end,  the  Schmitt 
Analysis  has  generally  stood  the  test  of  time 
and  remains  one  of  the  most  commonly  refer¬ 
enced  frameworks  for  characterizing  the  use 
of  force  in  cyberspace. 

Characterizing  Stuxnet 

Stuxnet  has  been  described  as  a  game 
changer— the  first  digital  “fire  and  forget” 
precision-guided  munition  and  perhaps  the 
first  peacetime  act  of  cyberwar.40  According 


ndupress.ndu.edu 


issue  67, 4  th  quarter  2012  /  JFQ  43 


ESSAY  WINNERS  |  Cyber  "Use-of-Force"  Debate 


to  reports,  the  Stuxnet  worm  was  designed  to 
target  gas  centrifuges  used  in  Iran’s  uranium 
enrichment  program  in  Natanz.  Specifically, 
the  worm  exploited  the  software  used  in 
programmable  logic  controllers  (PLCs)  manu¬ 
factured  by  Siemens.  These  PLCs  controlled 
frequency  converter  drives  that,  in  turn,  con¬ 
trolled  the  speed  of  the  centrifuges.  By  manip¬ 
ulating  the  speed  of  already  temperamental 
and  frequency- sensitive  centrifuges  over  time 
(weeks  and  perhaps  months),  Stuxnet  caused 
as  many  as  1,000  of  the  centrifuges  to  break. 
Estimates  suggest  Stuxnet  set  Iran’s  nuclear 
program  back  by  several  years.41 

Although  some  have  described  Stuxnet ’s 
code  as  a  relatively  unsophisticated  “Fran¬ 
kenstein  patchwork  of  existing  tradecraft, 
code  and  best  practices  drawn  from  the  global 
cyber- crime  community,”  its  true  sophistica¬ 
tion  lies  in  the  synergy  of  its  components 
and  its  method  of  infection.42  First,  Stuxnet ’s 
designers  required  incredibly  precise  intel¬ 
ligence  about  Iran’s  PLCs  and  frequency 
converters,  as  well  as  the  performance 
parameters  of  its  centrifuges.43  Second,  the 
malware  was  self-replicating  and  designed  to 
infect  systems  that  were  not  connected  to  the 
Internet  (“air-gapped”),  thereby  requiring  the 
use  of  intermediary  devices  such  as  thumb 
drives.  Stuxnet  also  employed  four  “zero -day” 
exploits44  and  two  stolen  digital  signatures 
to  gain  access  to  targeted  systems.  Finally, 
Stuxnet  appears  to  have  been  designed  to 


avoid  collateral  damage.45  If  the  malware  did 
not  detect  the  specific  software-hardware  con¬ 
figuration  associated  with  Iran’s  enrichment 
program,  the  program  would  lie  dormant.  It 
was  also  designed  to  delete  itself  from  thumb 
drives  after  infecting  three  machines,  and 
it  contained  a  built-in  self-destruct  feature. 
Thus,  even  though  the  worm  is  reported  to 
have  infected  more  than  100,000  hosts  in  155 
countries,  60  percent  of  the  infections  were 
localized  to  Iran,  and  there  are  no  reports  of 
physical  damage  outside  of  Iran.46  Although 
no  one  has  claimed  responsibility  for  Stuxnet, 
it  has  the  signature  of  a  state  operation.47  Most 
speculation  and  some  anecdotal  evidence 
points  to  Israel,  with  possible  support  from 
the  United  States  and/or  Germany.48 

Although  there  is  an  emerging  consen¬ 
sus  that  Stuxnet  constituted  a  use  of  force, 
there  is  value  in  looking  beyond  the  physical 
damage  to  see  what  the  operation  reveals 
about  the  strengths  and  weaknesses  of  exist¬ 
ing  analytic  frameworks,  such  as  the  Schmitt 
Analysis.  Accordingly,  the  following  analysis 
is  offered  not  only  to  characterize  Stuxnet,  but 
to  help  evaluate  Schmitt’s  framework. 

Severity :  According  to  this  criterion, 
Stuxnet  is  per  se  a  use  of  force  because  it 
caused  physical  damage.  Moreover,  the 
damage  was  inflicted  upon  a  critical  Iranian 
interest— its  nuclear  program.  By  setting 
Iran’s  nuclear  program  back  several  years, 
the  duration  of  Stuxnet ’s  consequences  also 


supports  characterizing  it  as  a  use  of  force— 
though  this  delay  is  due  to  sanctions  that  bar 
Iran  from  legitimately  acquiring  new  centri¬ 
fuges.  It  is  also  worth  noting  that  the  scope 
of  the  actual  damage  appears  to  have  been 
relatively  minor  and  fairly  discrete,  and  that  it 
posed  no  apparent  risk  of  harm  to  personnel. 

Immediacy :  According  to  this  factor, 
Stuxnet  would  probably  not  be  viewed  as  a 
use  of  force.  The  attack,  which  consisted  of  at 
least  three  waves  over  10  months,  took  time 
to  evolve.49  More  importantly,  once  a  targeted 
system  was  infected,  it  appears  the  damage 
took  weeks  or  even  months  to  manifest.  Given 
the  nature  of  how  the  attack  unfolded,  there 
was  and  remains  adequate  opportunity  for 
Iran  to  mitigate  the  harmful  effects  and  to 
seek  peaceful  accommodation.  That  said, 
given  the  physical  damage  inflicted,  imme¬ 
diacy  is  probably  not  a  factor  that  warrants 
much  emphasis  in  this  analysis. 

Directness :  There  appears  to  be  a  direct 
causal  connection  between  Stuxnet  and  the 
damaged  centrifuges. 

Invasiveness :  Stuxnet  represents  a 
significant  intrusion  on  Iranian  sovereignty. 
Not  only  does  it  appear  to  have  crossed  inter¬ 
national  borders,  but  it  targeted  sensitive  and 
highly  secure  systems  that  were  air-gapped 
from  the  Internet.  That  said,  Stuxnet  would 
have  been  just  as  invasive  if  it  had  simply 
collected  intelligence  on  the  inner  workings 
of  the  Natanz  facility— an  activity  the  interna- 
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tional  community  would  likely  not  regard  as  a 
use  of  force. 

Measurability :  Taking  into  account  the 
already  high  failure  rate  of  Iran’s  centrifuges, 
the  consequences  attributed  to  Stuxnet  appear 
both  quantifiable  and  identifiable. 

Presumptive  legitimacy :  Stuxnet  does 
not  enjoy  presumptive  legitimacy.  Short  of 
UN  Security  Council  authorization  or  actions 
taken  in  self-defense— both  of  which  would 
constitute  lawful  uses  of  force— there  is  no 
customary  acceptance  within  the  interna¬ 
tional  community  for  damaging  another 
state’s  nuclear  facilities.  Even  so,  it  is  worth 
considering  the  effect  of  existing  Iranian 
sanctions  upon  this  analysis.  First,  Iran 
cannot  import  or  export  nuclear-related  mate¬ 
rials  or  technology.  If  such  Iranian-owned 
nuclear  materials  are  discovered  outside 
of  Iran,  they  can  be  lawfully  seized  and 
destroyed.  Second,  prior  to  Stuxnet,  Iran  had 
been  operating  its  centrifuges  for  several  years 
in  violation  of  multiple  UN  Security  Council 
Resolutions.50  Although  these  points  may 
relate  more  to  whether  Stuxnet  constituted  a 
lawful  use  of  force,  they  also  seem  to  bear  on 
the  factor  of  presumptive  legitimacy. 


Responsibility:  Although  no  state  has 
claimed  responsibility  for  Stuxnet,  the  worm’s 
purpose  and  design  strongly  suggest  state 
involvement.  That  said,  it  is  possible  that 
Stuxnet  was  created  and  launched  by  nonstate 
actors— such  as  Iranian  dissidents  working 
with  freelance  hackers — in  which  case  it 
would  not  be  subject  to  international  laws 
governing  the  use  of  force. 

On  balance,  the  Schmitt  Analysis  sug¬ 
gests  most  states  would  characterize  Stuxnet 
as  a  use  of  force.  The  worm  was  highly  inva¬ 
sive,  caused  direct  and  measurable  physical 
damage,  lacked  a  clear  presumption  of  legiti¬ 
macy,  and  probably  involved  state  support. 

What  does  the  foregoing  analysis  of 
Stuxnet  reveal  about  the  continued  useful¬ 
ness  of  Professor  Schmitt’s  framework?  Most 
importantly,  the  model’s  underlying  analytic 
approach  appears  sound— that  is,  discerning 
the  use  of  force  threshold  entails  predicting 
how  states  will  characterize  cyber  operations. 
That  said,  the  analysis  reveals  several  limita¬ 
tions  with  the  framework,  as  well  as  opportu¬ 
nities  for  its  expansion. 

First,  it  appears  that  in  any  given 
Schmitt  Analysis,  the  characterization  of 


a  cyber  operation  may  be  derived  from  a 
single  factor:  severity  of  the  consequences. 

If  true,  then  the  framework  could  arguably 
be  reduced  to  an  effects-based  model  with 
little  remaining  affinity  with  the  Article  2(4) 
instrument-based  paradigm.  To  illustrate  the 
point,  what  if  instead  of  damaging  Iranian 
centrifuges  Stuxnet  achieved  the  same  effects 
by  causing  the  centrifuges  to  operate  inef¬ 
ficiently  or  not  at  all?  Except  for  severity,  each 
of  Schmitt’s  factors  would  likely  be  evaluated 
the  same.  It  is  debatable,  though,  whether 
the  international  community  would  consider 
such  an  operation  a  prohibited  use  of  force. 
This  is  not  to  suggest  that  the  other  factors 
are  irrelevant,  but  it  highlights  what  Professor 
Schmitt  himself  acknowledged:  “severity  is 
self-evidently  the  most  significant  factor  in 
the  analysis.”51 

Next,  the  characteristics  of  Stuxnet 
and  its  intended  target  suggest  at  least  one 
additional  factor  that  may  be  relevant  when 
performing  a  Schmitt  Analysis:  apparent 
compliance  with  the  Law  of  Armed  Conflict 
(LOAC).52  Assuming  reports  are  true,  the 
fact  that  Stuxnet  was  targeted  so  precisely 
and  designed  to  minimize  collateral  damage 
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reveals  something  about  the  identity  and 
intent  of  its  creators.  First,  it  reinforces  the 
notion  that  Stuxnet  was  a  state- sponsored 
operation,  which  is  important  because  Article 
2(4)  only  regulates  state  conduct.  Second,  it 
suggests  Stuxnet ’s  creators  were  concerned 
about  complying  with  LOAC,  particularly  the 
principles  of  military  necessity,  distinction, 
and  proportionality.53  Thus,  the  responsible 
state  apparently  regarded  Stuxnet  as  the 
equivalent  of  an  armed  attack  and  executed 
the  operation  as  such.  Since  an  armed  attack 
constitutes  a  use  of  force,  the  implication  is 
that  states  are  more  likely  to  characterize 
cyber  attacks  as  a  use  of  force  if  they  appear  to 
comply  with  LOAC— even  in  gray  area  opera¬ 
tions  that  do  not  result  in  actual  damage. 

A  third  observation  involves  one  of 
the  most  technically  challenging  aspects  of 
cyber  operations:  attribution.  For  Article  2(4) 
and  the  principles  of  jus  ad  helium  to  apply, 


the  responsible  party  must  be  identified  as  a 
state.54  As  noted  above,  without  reliable  attri¬ 
bution  states  generally  must  respond  to  cyber 
operations  as  a  law  enforcement  problem.  Yet 
each  of  the  prevailing  frameworks,  includ¬ 
ing  the  Schmitt  Analysis,  treats  attribution 
as  a  condition  precedent  to  any  use-of-force 
analysis.55  In  other  words,  without  attribution, 
a  Schmitt  Analysis  offers  limited  practical 
value.  But  if  state  attribution  can  be  estab¬ 
lished,  it  is  questionable  whether  a  Schmitt 
Analysis  would  be  necessary  because  more 
revealing  indicators  should  be  discernable, 
such  as  motive  and  intent. 

Next,  to  the  extent  state  attribution 
bears  on  the  characterization  of  cyber 
operations,  so  too  should  the  victim  state’s 
response.  As  the  International  Court  of  Justice 
noted  in  Nicaragua :  “it  is  the  State  which  is 
the  victim  of  an  armed  attack  which  must 
form  and  declare  the  view  that  it  has  been  so 


attacked.”56  Although  Iran  has  acknowledged 
the  presence  of  Stuxnet  in  its  systems,  it 
has  denied  any  significant  damage  and  has 
never  claimed  that  it  was  subject  to  an  armed 
attack.  As  U.S.  Cyber  Commands  top  lawyer, 
Colonel  Gary  Brown,  has  commented:  “Iran’s 
non-position’  on  the  Stuxnet  event  has  been 
frustrating  to  practitioners  in  the  field  of 
cyberspace  operations.  Finally,  there  was  a 
well- documented,  unambiguous  cyber  attack 
to  dissect!  And  yet  there  was  little  official 
discussion  of  the  issue  because  Iran  passed  up 
its  opportunity  to  complain  of  an  unjustified 
attack.”57  Unfortunately,  Professor  Schmitt’s 
framework  does  not  address  the  implications 
of  such  state  inaction.  It  remains  to  be  seen 
what,  if  any,  impact  Iran’s  “non-position”  has 
on  the  development  of  use  of  force  norms  in 
cyberspace. 

A  more  significant  observation  relates 
to  Professor  Schmitt’s  premise  that  states 
will  principally  rely  upon  existing  norms, 
particularly  Article  2(4),  when  making  use- 
of-force  determinations  in  cyberspace.  As 
some  commentators  predicted— and  Stuxnet 
demonstrated— Article  2(4)  has  proven  to  be  a 
“weak  constraint  on  offensive  cyber-attacks.”58 
This  is  due,  in  part,  to  the  difficulty  of  observ¬ 
ing,  measuring,  and  attributing  cyber  opera¬ 
tions.  More  importantly,  it  reflects  the  fact 
that  international  law  is  not  static  and  that  the 
principles  of  jus  ad  helium  are  not  the  exclu¬ 
sive  province  of  the  UN  Charter.59  Whereas 
contemporary  interpretations  of  Article  2(4) 
reflect  the  distribution  of  traditional  instru¬ 
ments  of  power— that  is,  political,  military, 
and  economic  strength— the  current  array  of 
cyber  capabilities  and  vulnerabilities  does  not 
mirror  the  traditional  distribution.60  Conse¬ 
quently,  states  with  significant  cyber  capabili¬ 
ties  or  vulnerabilities— regardless  of  their 
political,  military,  or  economic  strength— are 
likely  to  consider  factors  well  beyond  Article 
2(4)  when  characterizing  the  legality  of  cyber 
operations.  Such  additional  considerations 
may  include  relative  cyber  strengths  and 
vulnerabilities;  strategic  risks  and  opportuni¬ 
ties;  scope  of  potential  consequences;  ability 
to  control  escalation;  effectiveness  of  cyber 
deterrence;  potential  reactions  by  adversar¬ 
ies,  allies,  and  international  organizations; 
domestic  politics;  state  declaratory  policies; 
emerging  state  practice  (including  state  inac¬ 
tion);  attribution  problems;  and  other  legal, 
political,  and  technical  constraints.61  More¬ 
over,  given  the  novelty  of  cyberspace,  different 
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states  will  likely  weigh  their  strategic  risks  and 
opportunities  very  differently 

Perhaps  these  additional  considerations 
explain  why  there  has  been  so  little  academic 
debate  about  the  legal  implications  of  Stuxnet. 
Even  though  most  states  would  probably 
agree  that  Stuxnet  constituted  a  use  of  force 
under  Article  2(4),  they  may  be  reluctant  to 
characterize  the  attack  as  unlawful  since,  by 
targeting  an  illicit  program  in  a  pariah  state, 
it  was  justifiable.  In  this  regard,  it  is  worth 
noting  that  Stuxnet’s  objective  was  consistent 
with  multiple  UN  Security  Council  mandates 


and  it  promoted  those  mandates  without 
resorting  to  armed  force.  Thus,  it  remains 
to  be  seen  whether  Stuxnet  represents  a  new 
form  of  tacitly  condoned  cyber  vigilante-ism, 
or  whether  the  perpetrator(s)  will  eventually 
be  held  in  contempt.  Either  way,  Iran’s  “non¬ 
position”  has  made  it  easy  for  the  interna¬ 
tional  community  to  sidestep  the  issue. 

Conclusion 

Although  Professor  Schmitt’s  analytic 
approach  to  characterizing  cyber  operations 
remains  sound,  the  analysis  of  Stuxnet  reveals 
several  shortcomings  with  his  model.  These 
include  severity  of  the  consequences  as  a 
potentially  determinative  factor,  attribution 
as  a  condition  precedent  to  a  use  of  force 
analysis,  and  failure  to  account  for  a  victim 
state’s  “non-position”  toward  a  particular 
cyber  operation.  This  analysis  also  reveals 
at  least  one  additional  factor  states  may 
consider  when  characterizing  cyber  opera¬ 
tions— whether  an  attack  appears  to  comply 
with  LOAC. 

More  importantly,  this  analysis  suggests 
the  time  has  come  to  relax  the  model’s  strict 
adherence  to  the  Article  2(4)  instrument- 
based  paradigm.  By  tying  his  framework  to 
Article  2(4),  Professor  Schmitt  anticipated 
more  consistent,  predictable,  and  relatively 
objective  characterizations  of  force  in  cyber¬ 
space.  However,  state  practice  over  the  last 
decade  suggests  that  states  will  treat  Article 
2(4)  as  just  one  of  several  factors  to  consider 
when  characterizing  cyber  operations.62  As 
Professor  Schmitt  himself  acknowledged,  as 
state  practice  emerges,  other  considerations 
and  normative  approaches— such  as  greater 
emphasis  on  consequences— may  come  to 


dominate  the  analysis.63  In  light  of  recent 
events  in  Estonia,  Georgia,  and  Iran,  it 
appears  that  time  has  come. 

The  Schmitt  Analysis  of  Stuxnet  also 
has  implications  for  the  broader  debate  over 
the  use  of  force  in  cyberspace.  For  one  thing, 
the  lack  of  discussion  over  the  legal  implica¬ 
tions  of  Stuxnet  demonstrates  that  states  are 
unlikely  to  reach  consensus  on  what  consti¬ 
tutes  a  cyber  use  of  force  any  time  soon.  The 
lack  of  a  discernable  threshold  also  suggests 
that  state-sponsored  gray  area  cyber  attacks 
are  more  likely.64  Consequently,  policymak¬ 


ers  and  cyber  practitioners  and  their  legal 
advisors  must  be  prepared  to  operate  in  an 
ambiguous  and  contested  legal  environment, 
while  at  the  same  time  shaping  new  norms 
of  acceptable  state  conduct.65  In  the  end, 
these  evolving  norms  are  not  likely  to  be  con¬ 
strained  by  Article  2(4)’s  narrow  prohibition 
on  the  use  of  force.  Rather,  they  will  likely 
reflect  the  new  realities  and  unique  features 
of  cyberspace,  such  as  cyber’s  potentially 
devastating  consequences,  the  nontraditional 
distribution  of  cyber  capabilities  and  vulner¬ 
abilities,  and  the  international  community’s 
response  (or  lack  thereof)  to  seminal  events 
like  Stuxnet.  JFQ 
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